In this post, I'm going to veer away from the network security side of Splunk and more on the network operations side of things by introducing the Cisco Networks Splunk app. This app will gather syslog and Call Home data from various network devices in the network and visualize it in some rather interesting ways.

Prior to configuring this, I downloaded and installed the following apps onto my Splunk instance:

Prior to configuring the data sources on Splunk, I went ahead and configured my various routers, switches, wireless controllers, FTD appliance, and access points to send syslog and Call Home data to Splunk.

For the IOS devices such as my routers and switches, I configured various parts of syslog as follows:

On the wireless controller, I configured Splunk as the syslog server under Management>Logs>Config as shown below and ended up changing the syslog level to informational.

If you would like to configure the access points to send their syslog data to Splunk as well, I would recommend first making sure there is a DHCP reservation for the access points. After that's done, log into the wireless controller and issue the following command:

config ap syslog host global 10.1.100.20

This will push the configuration to the APs to send syslog data to Splunk.

In Splunk, we are now going to configure the data sources. Go to Add Data and choose TCP/UDP. On the first page, configure the following:

UDP

Port: 514

Only accept connection from: hostname or IP of the device sending the syslog traffic

Click Next

On the next page, configure the following:

Source type: cisco:ios

Host: IP

Index: Default or whichever one you would like

Click Review and finish the configuration.

For the devices you configured for Call Home, you will go back to Add Data and under TCP/UDP, choose the following:

TCP

Port: 847 (Note: I chose this port at random and configured it above on the IOS devices. You could pick one of your own.)

Only accept connection from: IP or hostname of the device sending the call home data

Click Next.

On the next page, configure the following:

Source type: Cisco:SmartCallHome

Host: IP

Index: Default or whichever index you created

Click Review and finish.

After you finish configuring your data sources, go to the Cisco Networks app. You should now see data starting to populate on the dashboard.

As shown below, the app separates the data by device type (IOS device, WLC, or AP), so each type can be viewed on its own quickly.

Below is an example of the configuration change transactions as logged on Splunk:
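The views above work because the cisco:ios sourcetype breaks each message into its %FACILITY-SEVERITY-MNEMONIC header, and the configuration change view keys on the SYS-5-CONFIG_I messages. The following is an added example (not code from the post or from the Cisco Networks app) that does the same parsing in plain Python over constructed sample lines, so you can see what fields the app is working with and which ones identify who changed a configuration and from where. The timestamp and sequence-number layout it accepts is an assumption about how the devices were configured to log; the sample messages are constructed, not captured from the author's network.

```python
import re
from collections import Counter

# IOS severity names, indexed by severity number (0 = emergencies ... 7 = debugging).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Constructed sample lines (assumption: the device logs a syslog PRI, a sequence
# number and a timestamp with milliseconds before the IOS message header).
SAMPLE_LINES = [
    "<189>123: *Mar  1 00:02:11.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.100.50)",
    "<189>124: *Mar  1 00:03:40.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<187>125: *Mar  1 00:03:41.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>126: *Mar  1 00:05:02.500: %SYS-5-CONFIG_I: Configured from 10.1.100.20 by snmp",
    "this line is not an IOS syslog message",
]

# Optional syslog PRI, optional sequence number, optional timestamp, then the
# %FACILITY-SEVERITY-MNEMONIC: header that the cisco:ios sourcetype keys on.
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:\d+:\s*)?"                                   # sequence number
    r"(?:[*.]?\w{3}\s+\d+\s[\d:.]+(?:\s\w+)?:\s*)?"  # e.g. "*Mar  1 00:02:11.123:"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Body of a SYS-5-CONFIG_I message: who changed the config, over which line, from where.
CONFIG_RE = re.compile(
    r"Configured from (?P<origin>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<source_ip>[\d.]+)\))?"
)


def parse_ios_syslog(line):
    """Return the parsed header fields of one IOS syslog line, or None if it is not one."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    rec = {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
        "pri_mismatch": False,
    }
    if m.group("pri") is not None:
        # The syslog PRI is facility*8 + severity. If the transport severity
        # disagrees with the IOS header, something rewrote the message in transit.
        rec["pri_mismatch"] = (int(m.group("pri")) % 8) != sev
    return rec


def config_changes(lines):
    """Extract the user, line and source address from every SYS-5-CONFIG_I message."""
    out = []
    for line in lines:
        rec = parse_ios_syslog(line)
        if not rec or rec["facility"] != "SYS" or rec["mnemonic"] != "CONFIG_I":
            continue
        cm = CONFIG_RE.search(rec["text"])
        out.append({
            "user": cm.group("user") if cm else None,
            "origin": cm.group("origin") if cm else None,
            "line": cm.group("line") if cm else None,
            "source_ip": cm.group("source_ip") if cm else None,
        })
    return out


def severity_counts(lines):
    """Count parsed messages by IOS severity number, as a dashboard panel would."""
    return Counter(rec["severity"] for rec in map(parse_ios_syslog, lines) if rec)


if __name__ == "__main__":
    for sev, n in sorted(severity_counts(SAMPLE_LINES).items()):
        print(f"severity {sev} ({SEVERITY_NAMES[sev]}): {n}")
    for change in config_changes(SAMPLE_LINES):
        print("config change:", change)
```

Run it as-is and it prints a per-severity count and the two configuration changes: one by admin over vty0 from 10.1.100.50, and one by snmp from 10.1.100.20. The pri_mismatch flag is the check worth keeping when you build your own parsing: a message whose syslog PRI severity does not match its IOS header has been altered or relabelled somewhere between the device and the indexer.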